Welcome to the Malware-as-a-Service Business Model

Highly organized Russian malware groups have developed a “malware-as-a-service” business model targeting mobile phones, particularly those on the Android platform. Android is the world’s most widely used mobile operating system and as the FBI announced recently (http://info.publicintelligence.net/DHS-FBI-AndroidThreats.pdf) it continues to be a primary target for malware attacks. This is partly due to its enormous popularity, but also its open platform, which makes it more attractive for malware writers.

The Russian organized malware crime scene has changed the game and mobile malware is now an industrial scale business that contains distributors, marketing affiliates, IT, development groups and customer support. As long as it remains profitable, we expect the spread of malicious mobile apps to continue.

While many of these malicious apps originate in Russia, the source can be hard to pinpoint because mobile software is, by its very nature, mobile. For example, the malware could be created in Israel and embedded in a game, uploaded to a third-party app store in China, and downloaded for free by someone in Belgium. The malware author and the source are in Israel, but the malware is detected in Belgium.

How do users get infected?

The biggest percentage of malware comes from third-party app stores and not the Google Play store itself. It is for that reason that we advise users to keep the ‘Unknown sources’ option unchecked, as seen below:

[Figure: the Android ‘Unknown sources’ setting, left unchecked]

Those malicious apps are spread through massive websites that purport to be legitimate Google Play app stores and look like this:

[Figure: a bogus website imitating the Google Play store]

They look legit, but they are bogus and often contain fake versions of popular applications such as Gmail, Skype, Adobe Reader, the Opera browser, etc. Malware authors also seek out developers to use a malicious Software Development Kit (SDK) in legitimate applications. This usually incorporates a scam that sends an SMS from the user’s device to a premium service number to generate income for the scammers. You can see examples of the marketing used by these groups below.

Example 1 – Money pours out of a smartphone

Example 2 – Prizes are awarded to developers who hand over big numbers of users and are willing to incorporate SMSs that will make the malware authors rich.
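The premium-SMS scam described above leaves static traces in a sideloaded app: the SEND_SMS permission in its manifest and a hard-coded short code in its resources. The following triage script is an added example, not code from the original post; the manifest, the string resources and the package name com.example.freegame are constructed, and the 4–6 digit short-code pattern is a heuristic assumption.

```python
"""Static triage of an Android app for the premium-SMS pattern (added example)."""
import re
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
# Premium short codes are typically 4-6 digits; heuristic only (assumption).
SHORT_CODE_RE = re.compile(r"^\s*\d{4,6}\s*$")

# Constructed sample input resembling a repackaged "free game" (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
SAMPLE_STRINGS = """<resources>
  <string name="app_name">Free Game</string>
  <string name="sms_target">7151</string>
  <string name="support_phone">+4412345678901</string>
</resources>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def short_code_strings(strings_xml):
    """Map resource name -> value for strings that look like SMS short codes."""
    root = ET.fromstring(strings_xml)
    return {e.get("name"): e.text.strip() for e in root.iter("string")
            if e.text and SHORT_CODE_RE.match(e.text)}


def triage(manifest_xml, strings_xml):
    """Combine both checks; unlike the Android 4.2 prompt, this runs before install."""
    perms = requested_permissions(manifest_xml)
    codes = short_code_strings(strings_xml)
    findings = []
    if "android.permission.SEND_SMS" in perms:
        findings.append("requests SEND_SMS (can incur premium charges)")
    for name, code in codes.items():
        findings.append(f"hard-coded short code {code} in string '{name}'")
    return {"package": ET.fromstring(manifest_xml).get("package"),
            "sms_permissions": sorted(perms & SMS_PERMISSIONS),
            "short_codes": codes, "findings": findings}
```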

Google has taken a few steps to shore up the Android platform and reduce the risk of malicious applications, in particular the ones that send SMSs to premium service numbers, which is the main method for monetizing malware. Since Android version 4.2 (http://developer.android.com/about/versions/jelly-bean.html) the following new security features have been introduced.

1) Application verification — Users can choose to enable “Verify Apps” and have applications screened by an application verifier prior to installation. App verification alerts the user if they try to install an app that might be harmful. If an application is especially dangerous, it blocks it.

2) Control of premium SMS — Android notifies you if an application attempts to send an SMS to a short code that uses premium services and might create additional charges. The user can choose whether to allow the application to send the message or block it.

3) Improved display of Android permissions — Permissions have been organized into easier-to-understand groups. During review, users can click on a permission to see more detailed information.

These improvements are a big step forward; however, an up-to-date security solution gives you further protection and peace of mind.

Adware detection changes and Google’s new policy

Up to now, most of the aggressive ad networks have supplied Android application developers with an SDK to integrate into their applications which, once installed, changes the browser’s homepage. Google has made some changes to guard against the practices of the most aggressive ad networks and recently published its new ‘Developer Program Policies’, which can be read here: http://play.google.com/about/developer-content-policy.html.

The new policy specifies (among other requirements): “Apps and their ads must not add homescreen shortcuts, browser bookmarks, or icons on the user’s device as a service to third parties or for advertising purposes.” This kicks off from 23 September and will cause the most aggressive ad networks some issues; it should mean fewer apps that push ads to the notification bar, interfere with a user’s bookmarks, or engage in behavior that affects the overall user experience. Some networks have already changed their SDKs to offer developers aggressive ad components that are compatible with the new policy, allowing them to continue to make money.